US2024267213A1PendingUtilityA1

System and Method for Security Against Bounded-Storage Mass Surveillance

Assignee: NTT RESEARCH INCPriority: Feb 8, 2023Filed: Feb 8, 2024Published: Aug 8, 2024
Est. expiryFeb 8, 2043(~16.6 yrs left)· nominal 20-yr term from priority
H04L 9/3093H04L 9/0825H04L 9/0869
43
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

The present disclosure relates to a computerized method and system for message encryption in a multi-user setting. The method involves receiving a message of arbitrary length for each user, storing the message in a computerized data store, and executing a setup to generate a master secret and public keys. A random variable is generated, and a function is defined based on this variable. A second secret is derived using a functional encryption scheme, resulting in a derived secret. The message is encrypted by generating a first random string, a second partially random string, and a ciphertext. The system also includes a method for decrypting the encrypted message, processing the derived secret and ciphertext to derive a string, and deriving a plaintext message from this string.

Claims

exact text as granted — not AI-modified
1 . A computerized method for message encryption in a multi-user setting, the method comprising:
 for each of multiple users:   receiving a message m of arbitrary length and storing the message m on a computerized data store;   storing a predetermined target ciphertext length;   executing a setup comprising:   instantiating a functional encryption scheme to generate a master secret key msk and master public key mpk;   generating a random variable v;   defining a function fv based on v;   deriving a second secret key by executing a key generation algorithm of the functional encryption scheme based on fv and the master secret key msk, resulting in a derived secret key skv;   encrypting the message m by:   generating a first random string r having a length based on the predetermined target ciphertext length;   generating an at least partially random second string u;   encrypting u under the functional encryption scheme using mpk to generate ciphertext c;   deriving z from r and u and m; and   outputting z, r and ciphertext c and storing ciphertext c in the computerized data store.   
     
     
         2 . The method of  claim 1 , wherein:
 u is based on two random strings and has a last bit set to be 0; and   the derivation of z from r and u and m is performed by:   applying a randomness extractor Ext to r and s, where s is a component of string u; and   generating z by xoring the results of the randomness extractor Ext with m and t, where t is a part of string u.   
     
     
         3 . The method of  claim 2 , wherein the extractor Ext is somewhere randomness extracting, wherein somewhere randomness extracting further comprises: for any random variables R 1 , . . . , R t  whose total joint min-entropy rate is α, for random and independent seeds S 1 , . . . , S t , close to an α-fraction of the extracted outputs Ext(R i ; S i ) is guaranteed to be jointly statistically indistinguishable from uniform, even given all the remaining extracted outputs and all the seeds. 
     
     
         4 . The method of  claim 3 , wherein the somewhere randomness extractor Ext(r; s) is constructed as:
 the input r∈{0, 1} n  is interpreted as an l-variate polynomial of total degree g over some field F 2     w    such that n=w·(l+gg);   the seed s=(s 1 , s 2 ) consists of s 1 ∈   2     w     l  and s 2 ∈   w/m   2     m   ; and   the output of the extractor is set to  r(s 1 ), s 2   , wherein the polynomial evaluation y=r(s 1 ) is performed over the field F 2     w    and the dot product  y, s 2    is performed over the first    2     m   .   
     
     
         5 . The method of  claim 1 , wherein the generated first random string has a length that closely approximates but is smaller than the length of the specified target ciphertext length. 
     
     
         6 . The method of  claim 1 , wherein defining a function fv based on v further comprises:
 receiving an input string;   based on the last bit of u, if the last bit is 0, then outputting s and t; and   if the last bit is 1, then outputting (s and t) xor v.   
     
     
         7 . A method for decrypting an encrypted message, the decryption method comprising:
 for each sender-receiver pair:   processing a derived secret key sky and a ciphertext c by a functional encryption decryption algorithm to derive a string s′;   deriving a plaintext message from s′, r and z;   wherein, the plaintext message was previously encrypted by:
 generating a first random string r having a length based on a specified target ciphertext length; 
 generating an at least partially random second string u; 
 encrypting u under a functional encryption scheme to generate c; and 
 deriving z from r and u and m; and 
 outputting z, r, and ciphertext c. 
   
     
     
         8 . The method of  claim 7 , further comprising executing the decryption method by:
 for i in the range of 1 to n, executing a public key decryption on the ciphertext ct i,w  using the sk i,w  and storing the output as the plaintext message.   
     
     
         9 . The method of  claim 7 , where deriving plaintext message from s′, r and z further comprises:
 decomposing s′ into s and t; and 
 applying a randomness extractor to r and s, and xoring the result with t. 
 
     
     
         10 . The method of  claim 9 , wherein the extractor Ext is somewhere randomness extracting, wherein somewhere randomness extracting further comprises: for any random variables R 1 , . . . , R t  whose total joint min-entropy rate is α, for random and independent seeds S 1 , . . . , S t , close to an α-fraction of the extracted outputs Ext(R i ; S i ) is guaranteed to be jointly statistically indistinguishable from uniform, even given all the remaining extracted outputs and all the seeds. 
     
     
         11 . The method of  claim 10 , wherein the somewhere randomness extractor Ext(r; s) is constructed as:
 the input r∈{0, 1} n  is interpreted as an l-variate polynomial of total degree g over some field F 2     w    such that n=w·(l+gg);   the seed s=(s 1 , s 2 ) consists of s 1 ∈   2     w     l  and s 2 ∈   2     m     w/m ; and   the output of the extractor is set to  r(s 1 ), s 2   , wherein the polynomial evaluation y=r(s 1 ) is performed over the field F 2     w    and the dot product  y, s 2    is performed over the first    2     m   .   
     
     
         12 . A computerized system for message encryption in a multi-user setting, the system comprising:
 a computerized processor configured for executing instructions for:   for each of multiple users:   receiving a message m of arbitrary length and storing the message m on a computerized data store;   storing a predetermined target ciphertext length;   executing a setup comprising:   instantiating a functional encryption scheme to generate a master secret key msk and master public key mpk;   generating a random variable v;   defining a function fv based on v;   deriving a second secret key by executing a key generation algorithm of the functional encryption scheme based on fv and the master secret key msk, resulting in a derived secret key skv;   encrypting the message m by:   generating a first random string r having a length based on the predetermined target ciphertext length;   generating an at least partially random second string u;   encrypting u under the functional encryption scheme using mpk to generate ciphertext c;   deriving z from r and u and m; and   outputting z, r and ciphertext c and storing ciphertext c in the computerized data store.   
     
     
         13 . The system of  claim 12 , wherein:
 u is based on two random strings and has a last bit set to be 0; and   the derivation of z from r and u and m is performed by:   applying a randomness extractor Ext to r and s, where s is a component of string u; and   generating z by xoring the results of the randomness extractor Ext with m and t, where t is a part of string u.   
     
     
         14 . The system of  claim 13 , wherein the extractor Ext is somewhere randomness extracting, wherein somewhere randomness extracting further comprises: for any random variables R 1 , . . . , R t  whose total joint min-entropy rate is α, for random and independent seeds S 1 , . . . , S t , close to an α-fraction of the extracted outputs Ext(R i ; S i ) is guaranteed to be jointly statistically indistinguishable from uniform, even given all the remaining extracted outputs and all the seeds. 
     
     
         15 . The system of  claim 14 , wherein the somewhere randomness extractor Ext(r; s) is constructed as:
 the input r∈{0, 1} n  is interpreted as an l-variate polynomial of total degree g over some field F 2     w    such that n=w·(l+gg);   the seed s=(s 1 , s 2 ) consists of s 1 ∈   2     w     l  and s 2 ∈   2     m     w/m ; and   the output of the extractor is set to  r(s 1 ), s 2   , wherein the polynomial evaluation y=r(s 1 ) is performed over the field F 2     w    and the dot product  y, s 2    is performed over the first    2     m   .   
     
     
         16 . The system of  claim 12 , wherein the generated first random string has a length that closely approximates but is smaller than the length of the specified target ciphertext length. 
     
     
         17 . The system of  claim 12 , wherein defining a function fv based on v further comprises:
 receiving an input string;   based on the last bit of u, if the last bit is 0, then outputting s and t; and   if the last bit is 1, then outputting (s and t) xor v.   
     
     
         18 . A system for decrypting an encrypted message, the decryption system comprising:
 a computerized processor configured for executing instructions:   for each sender-receiver pair:   processing a derived secret key sky and a ciphertext c by a functional encryption decryption algorithm to derive a string s′;   deriving a plaintext message from s′, r and z;   wherein, the plaintext message was previously encrypted by:
 generating a first random string r having a length based on a specified target ciphertext length; 
 generating an at least partially random second string u; 
 encrypting u under a functional encryption scheme to generate c; and 
 deriving z from r and u and m; and 
 outputting z, r, and ciphertext c. 
   
     
     
         19 . The system of  claim 18 , further comprising executing the decryption by:
 for i in the range of 1 to n, executing a public key decryption on the ciphertext ct i,w  using the sk i,w  and storing the output as the plaintext message.   
     
     
         20 . The system of  claim 18 , where deriving plaintext message from s′, r and z further comprises:
 decomposing s′ into s and t; and 
 applying a randomness extractor to r and s, and xoring the result with t. 
 
     
     
         21 . The system of  claim 20 , wherein the extractor Ext is somewhere randomness extracting, wherein somewhere randomness extracting further comprises: for any random variables R 1 , . . . , R t  whose total joint min-entropy rate is α, for random and independent seeds S 1 , . . . , S t , close to an α-fraction of the extracted outputs Ext(R 2 ; S i ) is guaranteed to be jointly statistically indistinguishable from uniform, even given all the remaining extracted outputs and all the seeds. 
     
     
         21 . The system of claim  21 , wherein the somewhere randomness extractor Ext(r; s) is constructed as:
 the input r∈{0, 1} n  is interpreted as an l-variate polynomial of total degree g over some field F 2     w    such that n=w·(l+gg);   the seed s=(s 1 , s 2 ) consists of s 1 ∈   2     w     l  and s 2 ∈   2     m     w/w ; and   the output of the extractor is set to  r(s 1 ), s 2   , wherein the polynomial evaluation y=r(s 1 ) is performed over the field F 2     w    and the dot product  y, s 2    is performed over the first    2     m   .

Join the waitlist — get patent alerts

Track US2024267213A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.